Encrypt your home folder

Ubuntu offers to encrypt your home folder
during installation. If you decline the encryption and change your mind
later, you don’t have to reinstall Ubuntu. You can activate the
encryption with a few terminal commands.

Ubuntu uses eCryptfs for encryption. When you log in, your home
directory is automatically decrypted with your password. While there is a
performance penalty to encryption, it can keep private data
confidential, particularly on laptops that may be stolen.

Getting Started

Before doing any of this, you should ensure you have a backup of your
home directory and important files.

First, install the encryption utilities:

sudo apt-get install ecryptfs-utils cryptsetup

You’ll have to encrypt your home directory while you’re not logged
in. This means that you’ll need another user account with administrator
(sudo) privileges.

Migrating Your Home Folder

Select your other (temporary) user account on the login screen and log in with it.

Run the following command to encrypt your home directory, replacing user with the name of your user account:

sudo ecryptfs-migrate-home -u user

You’ll have to provide your user account’s password. After you do,
your home directory will be encrypted and you’ll be presented with some
important notes. In summary, the notes say:

You must immediately log in as the user account you just migrated, before a reboot!

A copy of your original home directory was made. You can restore the backup directory if you lose access to your files.

You should generate and record a recovery phrase.

You should encrypt your swap partition, too.

Log out and log back in as your original user account. Do not reboot your system before logging back in!

After you log in, click the Run this action now button to create a
recovery passphrase. Keep this passphrase somewhere safe – you’ll need
it if you have to manually recover your files in the future.

You can run the ecryptfs-unwrap-passphrase command to view this passphrase at any time.

Encrypting the Swap Partition

When you set up an encrypted home directory while installing Ubuntu,
your swap partition is also encrypted. After setting up home directory
encryption, you’ll also want to set up swap encryption. To do so, run
the following command in a terminal:

sudo ecryptfs-setup-swap

Note that an encrypted swap won’t work properly with Ubuntu’s hibernate feature – which is disabled by default, anyway.

Clean Up

After restarting your system once or twice and verifying that everything
works properly, you can clean up by removing the backup home folder located in your
system’s /home directory. To do so, run Nautilus with root privileges using gksu nautilus.
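
One way to do the verification before deleting the backup copy of the unencrypted home directory, as an added example that is not part of the original page: the functions below read /proc/mounts and /proc/swaps and report whether /home/USER is an eCryptfs mount and whether any swap area still sits on a plain device. The user name alice, the sample device names and the device-mapper heuristic for swap are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): checks to run before deleting
# the plaintext backup that ecryptfs-migrate-home leaves in /home.

# home_is_ecryptfs USER [MOUNTS_FILE]: succeeds if /home/USER is mounted
# with filesystem type "ecryptfs". Fields: device mountpoint fstype ...
home_is_ecryptfs() {
    awk -v mp="/home/$1" '$2 == mp && $3 == "ecryptfs" { ok = 1 }
        END { exit !ok }' "${2:-/proc/mounts}"
}

# unmapped_swaps [SWAPS_FILE]: prints active swap areas that are NOT on a
# device-mapper node. Assumption/heuristic: encrypted swap appears as a
# dm-crypt mapping; a plain LVM volume would also pass this check.
unmapped_swaps() {
    awk 'NR > 1 && $1 !~ /^\/dev\/(mapper\/|dm-)/ { print $1 }' \
        "${1:-/proc/swaps}"
}

# ready_for_cleanup USER [MOUNTS_FILE] [SWAPS_FILE]: succeeds only if the
# home directory is an eCryptfs mount and no swap area is on a plain device.
ready_for_cleanup() {
    home_is_ecryptfs "$1" "${2:-/proc/mounts}" || return 1
    [ -z "$(unmapped_swaps "${3:-/proc/swaps}")" ]
}

# Demo on constructed samples (user "alice" and all devices are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime 0 0
EOF
cat > "$demo_dir/swaps" <<'EOF'
Filename Type Size Used Priority
/dev/sda5 partition 2097148 0 -1
EOF
if ready_for_cleanup alice "$demo_dir/mounts" "$demo_dir/swaps"; then
    echo "alice: home and swap look encrypted"
else
    echo "alice: not ready; plaintext swap: $(unmapped_swaps "$demo_dir/swaps")"
fi
rm -rf "$demo_dir"
```

On a real system, call ready_for_cleanup with only the user name while that user is logged in, so the live /proc files are read.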